An extended case study in which students can apply their COBIT knowledge to a real-life situation
COBIT in Academia (TM)
IT Governance Institute
COBIT
IT Governance Institute

The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Information Systems Audit and Control Association

With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) is a recognised worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 35,000 professionals since inception, and the Certified Information Security Manager (CISM) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.

Disclaimer

The IT Governance Institute, Information Systems Audit and Control Association [the Owner(s)] and the authors have designed and created COBIT in Academia and its related publications, titled COBIT Case Study: TIBO, COBIT Student Book, COBIT Caselets and COBIT Presentation Package (the Work), primarily as an educational resource for educators. The Owners make no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the educator should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Disclosure

Copyright 2004 IT Governance Institute. All rights reserved. This publication is intended solely for academic use and shall not be used in any other manner (including for any commercial purpose). Reproductions of selections of this publication are permitted solely for the use described above and must include the following copyright notice and acknowledgement: "Copyright 2004 IT Governance Institute. All rights reserved. Reprinted by permission." COBIT in Academia may not otherwise be used, copied, or reproduced, in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written permission of the IT Governance Institute. Any modification, distribution, performance, display, transmission, or storage, in any form by any means (electronic, mechanical, photocopying, recording or otherwise) of COBIT in Academia is strictly prohibited. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: research@isaca.org
Web sites: www.itgi.org and www.isaca.org

ISBN 1-893209-96-2
COBIT in Academia
Printed in the United States of America
TABLE OF CONTENTS
Purpose of This Document ... 5
Case Study Description ... 7
    One Day in the Life of the Outsourcing Story of TIBO ... 7
    The Trusted Imperial Banking Organisation's Profile ... 9
    The Company's IT Environment ... 9
        Projects ... 9
        Technology ... 10
        Standards and Procedures ... 10
        Security ... 11
    The Organisational Entities ... 11
        Board of Directors ... 11
        Executive Committee ... 11
        Business Strategy Group ... 11
        IT Coordination Committee ... 12
        IT Management ... 12
        IT Teams ... 12
        Business Operational ... 12
    Organisation Charts ... 13
Additional Material ... 14
    The Security Issue ... 14
        Questions ... 14
        Service Level Agreement of the Outsourcing Contract ... 15
    The Outsourcing Issue ... 16
        Questions ... 16
    The Strategic Alignment Issue ... 16
        Extra Background Information ... 16
        Questions ... 17
Teaching Notes ... 18
    Additional Material to Support This Case ... 18
        In General ... 18
        For the Outsourcing Issue ... 18
        For the Strategic Alignment Issue ... 18
    Suggested Solutions ... 19
        General Answers ... 19
        Expected Answers on Security ... 19
        Expected Answers on Outsourcing ... 20
        Expected Answers on Strategic Alignment ... 21
Appendix ... 22
[Figure: the four modules of the case study: Introduction to COBIT, Security, Outsourcing, Strategic alignment]
The IT Governance Institute has also developed three other products that can accompany this case study: COBIT Student Book (mentioned previously); the COBIT Presentation Package, providing a comprehensive 80-slide PowerPoint deck on COBIT; and COBIT Caselets, which includes minicases for smaller COBIT exercises, to be used at the graduate and undergraduate levels.
"Oh, by the way, Steven, before you go. Do you have an idea about who we should call in as our guru on security for the audit committee meeting?"

"You may recall, John, that we did put in a requisition for a senior CISO [3] position, but the conclusion of the executive committee was that we could do without. I am still having a debate with internal audit because they are trying to pin that responsibility on me, because Erik and Roger could not agree on who it should be. We really have only Ida Doano, our security administrator, and Ida would really be out of her depth in a board meeting."

On his way back to his office, De Haes kept thinking about how it all had started. IT had planned the We-BOP project but did not have the development capabilities or skills, given that most of the IT people are mainframe-oriented. During a golf game, De Haes heard from his friend at another financial company about a fabulous development company in Singapore that produces top-end, reusable e-banking applications that could be used for outsourcing. A contract was made based on the vendor's standard agreements, negotiated by De Haes and Guldentops and signed by TIBO's CEO. The bank's legal department also reviewed the contract and some changes were made to its legal aspects. The service level agreement of the outsourcing contract [4] covered:

- The scope of the work
- Time line definitions for development and rollout
- Performance, tracking and reporting
- Roles and responsibilities
- Payments and functionalities

The intention was for the third-party service provider to provide full e-banking services, including front-office functionality, interfaces to the back office and customer support functions, in two stages. At the first stage, customers would have access to their savings and chequing accounts. New functions to be integrated in the web application in the future were loans and credit cards. The back-office infrastructure had been developed internally and was operational.

When the application went into operation, all went well. There was a small volume of users (5 percent of the customer base). After six months, when the number of users grew, problems began with the quality of the service delivery, such as:

- Response time was unsatisfactory.
- Customers could access the system only during specific times of the day (availability of the system).
- Occasionally, transactions were not being processed or were processed erroneously.

As a result, the help desk received an increasing number of queries and complaints. The third-party supplier reported these complaints on a monthly basis and issued extra invoices because of the increase in support desk workload. Until now, these problems had not been escalated beyond the operational level, where they were solved by IT and business people by putting in overtime.
[3] Chief information security officer
[4] See the summary of the service level agreement on p. 15.
IT_Net: Expanded IT network and standardised application platforms
ForPay: Foreign payment services
Work_it: Workflow application and remote connectivity for account managers

TECHNOLOGY

The IT environment consists of three distinct platforms. The mainframe platform provides the CoBAR primary business and financial applications; these include savings, chequing, loans, trust, personal banking and credit card interface (an alliance with a major credit card firm). All are real-time applications with nightly batch updates. The organisation's clearing-settlement application and accounting applications (general ledger, accounts payable, fixed assets and bank reconciliation) are also mainframe-based. The mainframe platform is also currently used for ForPay, as a service to other banks.

A new client-server environment consisting of five UNIX servers will form the basis for the new CRM application in its initial stages of development. Connectivity to the corporate systems is provided by IT_Net, which is a virtual private network (VPN) supplied by the organisation's telco supplier. Overall, the networking infrastructure is getting older and strained. Only senior managers have laptops.

The PC network platform involves Windows servers utilised for file and print services, communication services and gateway services. PC workstations are running Windows. This is the platform for the Work_it application. Remote connectivity is to be introduced based on features available in IT_Net.

Mainframe access is granted by a security administration system. UNIX security is provided by the host operating system; no proprietary security tools are used. Firewalls are installed and managed by the IT_Net supplier, as a managed service.

The headquarters is home to approximately 600 employees. Nationwide, the corporation employs approximately 9,000 people, of which 450 are in IT. IT services are critical to all 600 headquarters employees.

STANDARDS AND PROCEDURES

IT procedures are developed in-house, and vary in quality and conformance from area to area within the IT group. IT strategy development is relatively informal; it is based on management discussion and documented via management meeting notes, rather than determined by a prescribed process or any standard format. IT would like more guidance from the business and the executive management, but strategic decisions are made on a project-by-project basis.

The IT organisation is fairly traditional, with a systems development team, an operations team and a system and technology team. The management team consists of a manager for each of the three groups, plus the head of the department.

System developments have been undertaken mostly in-house, based on the mainframe, with a system development life cycle (SDLC) methodology that was acquired some years ago and has been adjusted to suit the bank. In recent years these methods have been found to be outdated and too slow to follow. However, they at least have ensured reasonable documentation of systems. There is little experience in acquiring packaged solutions. Only a few of the in-house team have any experience with client-server systems, and none have any web development experience.
The current strategic initiatives are:

- Closing low-performing branches (almost complete)
- Creating a web-based banking system to unload the demand for services at branch offices (We-BOP) (in progress)
- Developing CRM capabilities to create opportunities to cross-sell banking services (project initiated)

IT COORDINATION COMMITTEE

The IT coordination committee involves a mix of IT and user managers (see organisation chart). It meets monthly and is primarily concerned with the oversight of existing and future developments. It reports quarterly to the business strategy group. It has had little involvement with the We-BOP development because of the outsourced nature of its development and operation.

IT MANAGEMENT

The IT director and his management team are:

- Highly technical and want to make a mark in e-business, specifically through the web-enabled banking operations project, which they support strongly
- Concerned about the aging network, which may run out of capacity as a result of the move to e-banking
- Fully supportive of tight controls over IT
- In agreement that more co-operation is needed with the business strategy group, which generally supports IT management project priorities but does not always agree on what should be done first
- Firm believers that the current core systems can support the business for several more years, and getting cranky when core systems rebuilding is brought up

IT TEAMS

The TIBO IT teams are:

- Highly qualified professionals with a strong quality focus; they have put strong project control and performance measurement in place. However, the latter is too detailed and used only at the local level.
- Constantly diverted by change management issues as a result of many changes to the applications and infrastructure
- Concerned about rapid change, especially the outsourcing and business-promoted projects that are not always commercially successful and take resources away from needed infrastructure investments, such as the new IT network to increase connectivity and standardise solutions
- Concerned with the increase in maintenance problems and decrease in available skills relative to the core systems, and actually becoming increasingly frustrated

BUSINESS OPERATIONAL

TIBO executives are:

- Becoming IT-literate and a bit jealous of IT getting its budgets while they have had to downsize and IT has not
- Claiming they need increased remote connectivity and automated workflow solutions to be effective in a downsized branch network
- Complaining about throughput of, and support for, core systems and pushing for SLAs and the rebuilding of the quickly-becoming-obsolete core systems
- Connecting more and more e-customers even if they do not bring in immediate income, whilst stressing the operational and support systems
[Organisation chart: IT Organisation, headed by Steven De Haes, Director of Information Technology; IT Coordinating Committee]
ADDITIONAL MATERIAL
THE SECURITY ISSUE

QUESTIONS

1. In an anonymous call to the CFO, someone claims to have access to customer information leaked from the enterprise systems and substantiates it with a fax containing some sensitive information (names, account managers, etc.).
   a. Analyse the security risks.
   b. Recommend some good practices to better mitigate the risks.

2. You are informed that the breach occurred at the third party and are given a copy of the current (short and inadequate) service level agreement (SLA). The data leaked because the third party used real, live customer data during acceptance tests of the second phase on an insecure web server installation.
   a. Define what management should have put into the SLA relative to security.
   b. What do you think actually happened to allow these data to get into the public domain?
SERVICE LEVEL AGREEMENT OF THE OUTSOURCING CONTRACT

Purpose of This Document

This document constitutes an agreement between the outsourcer and the third party, defined in the next section, for the development of full e-banking services referred to as We-BOP. It details the environment, expectations, deliverables and responsibilities associated with the implementation of this agreement.

Parties in the Agreement

This agreement, dated as of February 200x, is between TIBO, with offices located in ___ (hereafter named as the outsourcer), and ___, with offices located in ___ (hereafter named as the third-party supplier).

Scope of Work

The scope of this agreement is for the third-party supplier to develop a full e-banking service, We-BOP. This service includes:

- The development of a web-based front office with the following functionalities:
  - Access to savings account
  - Access to chequing account
  - Credit card administration
  - Loan administration
- The development of the interfaces between the front office and the back office of the outsourcer
- The setup of customer support functions (help desk) for the developed We-BOP application

Timeline Definitions for Development and Rollout

The We-BOP application and its interface will be developed in two phases:

Phase 1: To be operational 30 April 200x
- A web-based front office enabling:
  - Access to savings account
  - Access to chequing account
- The interface between the front office and the back office of the outsourcer
- A fully operational help desk function for customer support

Phase 2: To be operational 31 March 200x+1
- Extended functionalities of the web-based front office:
  - Credit cards
  - Loans

Performance, Tracking and Reporting

We-BOP: The third party will report quarterly on the performance of the We-BOP system. This report will be sent to the IT director of the outsourcer.

Help Desk: The third party will report monthly regarding the help desk requests and how they are solved. This report will be sent to the IT director of the outsourcer. A specific error file, which can be accessed directly by the outsourcer, will be developed by the third party to keep track of and manage the reported errors.

Roles and Responsibilities

Communication: Contacts and communication between the outsourcer and the third party are by electronic mail, telephone and regular meetings. The outsourcer and the third party must communicate their group structure (and changes) to each other, so each group can maintain correct distribution lists. The outsourcer and the third party must inform each other of planned unavailability (e.g., meetings, holidays, replacements, backup specialists).

Responsibilities of the Outsourcer: The outsourcer must provide to the third party all information regarding the back-office specifications necessary to establish the interface between the front office and the back office. The third party must be informed of all major changes to the back office that could impact the interface. The outsourcer will respond promptly (within five working days) to any of the third party's requests to provide information or decisions that are reasonably necessary for the third party to develop the system and to provide the services.

Responsibilities of the Third Party: The third party warrants that the development of the We-BOP systems and the customer support function will be performed in a professional and workmanlike manner consistent with industry standards reasonably applicable to such services. The third party will not disclose any confidential information about the outsourcer that it may obtain during the development process.

Payment and Penalties

For the development of the web-based application, the outsourcer will pay the third party as follows:

- 25 percent at the start of the project
- 50 percent after delivery of phase 1
- 25 percent after delivery of phase 2

For the help desk, the third party will charge a monthly fixed price of US $ xxxx.xx.

If the web-based application cannot be delivered within the agreed timeline, a penalty of US $ xxxx.xx per day of delay will be charged by the outsourcer to the third party.

All fees are to be paid by the outsourcer, in the currency of the invoice, to the account designated by the third party. All invoices are payable within 30 days from the date of the invoice. If the invoice is not settled within 30 days of receipt, the third party may add an interest and administrative charge of 1.5 percent of the respective invoice.
Signatures

CEO of the Outsourcer ______________    Date __________
CEO of the Third Party ______________    Date __________
THE OUTSOURCING ISSUE

QUESTIONS

1. You are confronted here with a detailed outsourcing process. Give an evaluation of this process. Describe the problems TIBO encountered or the risks they face, and identify best practices that, if implemented, would have prevented or alleviated the problems or risks.

2. Identify the roles that audit, IT management and the CEO should play in outsourcing. Compare these best practices to the roles actually played in TIBO.

THE STRATEGIC ALIGNMENT ISSUE

EXTRA BACKGROUND INFORMATION

Business strategy is determined by the business strategy group, which comprises the CEO, the vice presidents of retail and wholesale operations, and two outside members. One of the outside members is Charles Penrose, the former CEO of Accubank. Accubank was merged into TIBO 18 months ago. The other outside member is Nigel Sorrell. He is also a member of the board of directors.

The business strategy group meets on the first Tuesday of each month to review progress on prior strategic initiatives and discuss the strategic direction of the bank. Information for progress reviews is usually obtained by inviting the project manager of the particular initiative to give a short presentation. The group tries to be aware of developments that may disrupt industry practices. In particular, the group has been thinking about:

- Channel strategies
- Current trends
- Customer relations and retention

The business strategy group has excellent documentation procedures. It maintains a strategic initiatives document that details each of the initiatives and charts progress on each. This document is distributed to the board of directors and the executive committee.

The executive committee meets on the first Thursday of each month. A discussion of strategic issues is always included on the executive committee's agenda. John Mitchell always makes sure that the bank's strategic direction is given adequate attention.

The board of directors meets quarterly. Strategic initiatives are always among the many items discussed by the board. Strategic decisions are passed down in the organisation for implementation. For example, the We-BOP initiative was passed to the director of IT for implementation. The director of IT assigned a project manager and then started looking for potential solutions for the We-BOP initiative. He decided that the safest way to enter the e-banking arena was to outsource this functionality.
QUESTIONS

1. Analyse the governance implications of how TIBO handled outsourcing from the board of directors, executive and IT management levels. What would be the best practices to govern outsourcing contracts?

2. Why was the CEO not aware of the customer complaints before the report from the Ombudsman? How can this be avoided in the future? What governance changes do you propose to solve this problem?

3. As the board begins the CRM initiative, how could better alignment be achieved between IT and business strategy than was evident in the We-BOP initiative?
TEACHING NOTES
ADDITIONAL MATERIAL TO SUPPORT THIS CASE

IN GENERAL

- COBIT Student Book chapter 3 (processes DS5 and PO9)
- International Organisation for Standardisation (ISO) 17799
- Introductory material on ITIL (IT Infrastructure Library, Office of Government Commerce, UK)

FOR THE OUTSOURCING ISSUE

- COBIT Student Book (process DS2)
- Outsourcing web sites:
  - www.outsourcing.com
  - Cutter Consortium's Sourcing and Vendor Relationships E-mail Advisor weekly e-mails: Go to cutter.com. Under Data, Analysis, and Advice, click on Sourcing and Vendor Relationships. Sign up for a trial subscription to the weekly e-mail service. There are also free reports available on the web site.
  - Computerworld Outsourcing weekly e-mails (free): Go to www.cwrld.com/nl/sub.asp. Select Outsourcing, and register. Also, for their Outsourcing Knowledge Center, go to www.computerworld.com/managementtopics/outsourcing.
  - Network World: Go to www.nwfusion.com, enter the search word "outsourcing".
  - Tech Republic: Go to www.techrepublic.com, enter the search word "outsourcing".
  - IDG: Content of eight magazines, including InfoWorld, PC World, CIO Magazine, etc. Go to www.idg.net, enter the search word "outsourcing".
- Typical IT outsourcing publications supplied by the teacher
- Optionally, provide students with typical articles on outsourcing and COBIT references.
- Consider how change management is being handled (how it was organised, after the number of operational changes due to the complaints and errors).
- Provide students with a short description of the SLA, as used originally by the company.
- Use the outsourcing audit programme provided by ISACA to point students in the right direction, www.isaca.org.

FOR THE STRATEGIC ALIGNMENT ISSUE

Students have been given the company's approach to strategy provided on page 16. Students also have the PO1 material from the COBIT Student Book and the Board Briefing on IT Governance, 2nd Edition (www.itgi.org) as reference material.
- The data could have been googled (found while using the Google search engine) by someone searching for a neighbour's name.
- Ex-employee accounts could have been improperly deactivated.

EXPECTED ANSWERS ON OUTSOURCING

1. You are confronted here with a detailed outsourcing process. Give an evaluation of this process. Describe the problems TIBO encountered or the risks they face, and identify best practices that, if implemented, would have prevented or alleviated the problems or risks.

Point out the risks of the:

- Inadequate governance of the selection process
- CEO's lack of awareness or positioning to make this technology decision
- Lack of testing
- Elements not defined, or weakly defined, in the SLA
- Lack of security metrics
- Absence of business orientation of other metrics
- Inadequate customer complaint handling
- Inadequate reporting (which reports, who is responsible)

Items not covered in the SLA of the outsourcing contract. Ideally, these should be identified by the students:

- Performance metrics
- Response time
- Availability of the system. It appears that customers can access the system only during specific times of the day.
- Security
- Testing (because of the lack of testing, some things are not processed or are processed incorrectly)
- Training (the third party developed an error file for managing errors, but the internal IT staff were not trained to manage this)
- Extra charges for the help desk in case the workload increases
- Requirements not fully thought out
- Change management (how was this organised after the number of operational changes due to the complaints and errors?)

2. Identify the roles that audit, IT management and the CEO should play in outsourcing. Compare these best practices to the roles actually played in TIBO.

The comparisons are:

- Audit should have been involved in the development. There was new technology, high risk and a new outsourcing process for which there was no in-house expertise. There was a high customer-facing component with potentially large public exposure.
- Business management should have been more involved in determining the solution. They left the solution entirely to IT and therefore were not aware of the possible business risks related to outsourcing.
- IT management should have been more proactive in managing the outsourced contract and should not have left things solely to the third party.
APPENDIX
The Financial Ombudsman Service is a powerful UK regulatory service. The Financial Ombudsman Service, located in the UK, may be able to help with a financial complaint you cannot sort out with a:

- Bank
- Building society
- Financial advisor
- Friendly society or credit union
- Insurance company
- Investment firm
- Stockbroker
- Unit trust company

The Financial Ombudsman Service was set up by law to give consumers a free, independent service for resolving disputes with financial firms. It can help with most financial complaints about:

- Banking services
- Credit cards
- Endowment policies
- Financial and investment advice
- Insurance policies
- Investment and fund management
- Life assurance
- Mortgages
- Personal pension plans
- Savings plans and accounts
- Stocks and shares
- Unit trusts and income bonds

It can impose fines, but the real impact of such incidents is the embarrassment resulting from the reports being made public.